Skip to content

Security: ivoshemi-sys/oixa-protocol

Security

SECURITY.md

OIXA Protocol — Security Audit Log

Git History Audit — 2026-03-20

Auditor: Claude Code (claude-sonnet-4-6) Trigger: Routine security rotation of protocol wallet key

Findings

Check Result
.env ever committed to git ✅ NEVER — confirmed via git log --all --diff-filter=A -- .env
.env currently tracked by git ✅ NO — git ls-files --error-unmatch .env returns error (not tracked)
.env in .gitignore ✅ YES
Private key in any committed file ✅ NOT FOUND
Old wallet address in committed files ℹ️ Only in .env.example as placeholder format (not real key)

What was audited

  • All 21 commits in git history
  • All file paths matching .env, **/.env, **/.env.*
  • git grep --cached for any staged .env content
  • Full git log -p for any file ever named .env

Result: Git history is clean. No secrets were ever committed.

Wallet Rotation — 2026-03-20

Reason

Proactive security rotation. The original private key was generated 2026-03-18 and stored only in .env (gitignored). Rotation triggered as a precaution to establish clean key hygiene.

Old Wallet

  • Address: 0xB44c6f4b16aE4EAeAe76d7E9c3D269B3824ffa86
  • Status: DEPRECATED — do not fund or use
  • Key exposure: None confirmed (never committed, never transmitted)

New Wallet

  • Address: 0x51BdFbd66c49734E2399768D7a8cD95483102a00
  • Network: Base mainnet (chain ID 8453)
  • Generated: 2026-03-20 using eth_account + secrets.token_hex(32) (cryptographically secure RNG)
  • Key stored: .env (gitignored) — never displayed in output

Files Updated

  • .envPROTOCOL_WALLET + PROTOCOL_PRIVATE_KEY updated
  • WALLET_BACKUP.txt — rotation history recorded
  • .gitignore — expanded to cover *.pid, *.db, WALLET_BACKUP.txt

VPS Key Rotation (root@64.23.235.34)

Status: PENDING MANUAL CONFIRMATION SSH to production VPS requires explicit authorization before execution. To rotate once confirmed:

scp .env root@64.23.235.34:/opt/oixa-protocol/.env
ssh root@64.23.235.34 systemctl restart oixa

.gitignore Coverage — 2026-03-20

Current .gitignore protects:

  • .env — all environment files
  • .env.local — local overrides
  • *.pid — all PID files (oixa.pid, etc.)
  • *.db — all SQLite databases (including server/oixa.db)
  • *.log — all log files
  • WALLET_BACKUP.txt — wallet backup with key location info
  • __pycache__/, *.pyc, *.pyo — Python bytecode

Files removed from git tracking (2026-03-20):

  • WALLET_BACKUP.txt — was tracked, now untracked via git rm --cached
  • oixa.pid — was tracked, now untracked via git rm --cached
  • server/oixa.db — was tracked, now untracked via git rm --cached

Recommendations

  1. VPS rotation: After confirming, run scp .env root@64.23.235.34:/opt/oixa-protocol/.env && ssh root@64.23.235.34 systemctl restart oixa
  2. Hardware wallet: For Phase 2 (real USDC), migrate to Ledger/Trezor
  3. Safe multisig: Deploy Gnosis Safe for multi-signature control before mainnet launch
  4. Key backup: Write private key to paper and store offline (see WALLET_BACKUP.txt)
  5. Escrow contract: ESCROW_CONTRACT_ADDRESS remains unchanged — no redeployment needed unless old key was the contract owner

OIXA Protocol Security | Ivan Shemi | 2026-03-20

There aren't any published security advisories